oss-sec mailing list archives

Re: CVE Request: KDE Pim

From: David Faure <faure () kde org>
Date: Tue, 17 Jul 2012 14:06:40 +0200

On Tuesday 17 July 2012 10:18:06 laurent Montel wrote:

Security problem is that we allows to use javascript.
In 4.4 we don't have it.


And here's a testcase for the actual bug.
In kmail, Ctrl+O, open this .mbox, click on the HTML version, enable HTML 
rendering, a javascript messagebox pops up.
Not sure what can really be exploited here (xmlhttprequest?), but at least 
this way one can prove that 4.4 isn't affected, and test the 4.9 fix.

-- 
David Faure, faure () kde org, http://www.davidfaure.fr
Sponsored by Nokia to work on KDE, incl. KDE Frameworks 5

Attachment: html.mbox
Description:

Current thread:

CVE Request: KDE Pim Marc Deslauriers (Jul 13)
- Re: CVE Request: KDE Pim Kurt Seifried (Jul 13)
  - Re: CVE Request: KDE Pim Vincent Danen (Jul 16)
    - Re: CVE Request: KDE Pim laurent Montel (Jul 17)
    - Re: CVE Request: KDE Pim David Faure (Jul 17)
    - Re: CVE Request: KDE Pim Tomas Hoger (Jul 17)
    - Re: CVE Request: KDE Pim Vincent Danen (Jul 17)
    - Re: CVE Request: KDE Pim Kurt Seifried (Jul 17)
    - Re: CVE Request: KDE Pim David Faure (Jul 17)